It’s easy to assume that because an email service provider (ESP) is reputable, it would be immune to suspicious or malicious traffic, but that isn’t the case. Even trusted, legitimate ESPs are evaluated based on historical patterns, not intent, as discussed in the post, Email compliance & reputation - The inbox remembers. This isn't necessarily because they are negligent, but rather because scale changes risk. At small volumes, anomalies such as suspicious signups, sudden spikes in traffic, or unusual complaint patterns are easier to spot, isolate, and investigate.
As volume grows, those same warning signs can hide in what appears to be legitimate growth. Abusers blend into shared pools with thousands of legitimate users, benefitting from the positive IP reputation built by good senders. At the same time, onboarding and vetting new clients takes longer, increasing the chances of details being missed. More accounts also mean more credentials that can be compromised.
Growth multiplies complexity, complexity multiplies risk.
How abuse spreads (The neighbourhood effect)
Once abuse enters a shared infrastructure, legitimate customers suffer from what can only be described as the “neighborhood effect,” where innocent senders are penalized, trust erodes, and shared reputation becomes contaminated.
In a shared environment, reputation is not entirely individual. IP ranges, sending pools, domains and infrastructure history are evaluated together. When one sender behaves maliciously, the signals do not remain isolated. Increased complaints, spam trap hits, or malicious campaigns from a single sender can trigger increased filtering at the IP or network level. Filters react by tightening controls across the entire pool or network.
So, what can you do?
In a shared environment, waiting until abuse appears is already too late. Traditional signals, such as complaint rates, bounce spikes, and engagement drops, are inherently reactive. By the time they surface, the reputation of shared infrastructure may already be degraded. The key is to detect risky behavior early and identify emerging threats before they can impact the entire infrastructure.
Proactive detection
Effective abuse detection requires a proactive, multi-layered approach, with constant evaluation of sender reputation and message content. Here are some examples of proactive defense using Spamhaus datasets:
- Identify recently registered domains used in phishing, using the Zero Reputation Domains Dataset (ZRD): newly registered or newly observed domains (included for 24 hours).
- Connect the dots with Passive DNS, which provides the historical and relational context needed to uncover freshly registered domains, recycled infrastructure, and stolen identities: issues that checks at signup will often miss.
- Detect malicious domains and URLs embedded in content with the Low Reputation Domains Dataset (Domain Blocklist, DBL): domains and hosts used for suspicious or malicious activity.
- Identify compromised infrastructure and injection attacks by leveraging the Compromised IPs Dataset (XBL): IP addresses exhibiting signs of compromise, which can include downloaded malware, security vulnerabilities allowing unauthorized access, etc.
By correlating infrastructure data with content intelligence, abuse teams can detect problematic campaigns before complaint rates spike and infrastructure reputation declines. This helps to reduce collateral damage to legitimate customers that share the same infrastructure.
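The correlation described above can be sketched as a pre-send check that looks up the sending IP in XBL and every linked host in DBL. This is an added example, not Spamhaus code: the zone names and return-code ranges are assumptions to confirm against Spamhaus documentation, `resolve` is a caller-supplied lookup function, and the sample answers are constructed.

```python
import ipaddress
import re

# Assumptions: zone names and return-code ranges follow Spamhaus's published
# DNSBL conventions; confirm both against current Spamhaus documentation.
XBL_ZONE = "xbl.spamhaus.org"
DBL_ZONE = "dbl.spamhaus.org"

# Constructed sample answers standing in for live DNS (None means NXDOMAIN).
SAMPLE_ANSWERS = {
    "10.2.0.192.xbl.spamhaus.org": "127.0.0.4",
    "login-update.example.dbl.spamhaus.org": "127.0.1.4",
    "cdn.example.net.dbl.spamhaus.org": "127.255.255.254",
}
SAMPLE_BODY = ("Verify at https://login-update.example/reset, logo at "
               "http://cdn.example.net/a.png, help: https://docs.example.org/")

def xbl_query_name(ip):
    """IPv4 DNSBL lookups reverse the octets: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + XBL_ZONE

def domains_in(text):
    """Return the unique host names of http(s) URLs found in a message body."""
    hosts = re.findall(r"https?://([a-z0-9.-]+)", text.lower())
    return sorted({h.strip(".") for h in hosts})

def classify(answer):
    """Map a DNSBL A-record answer to a verdict."""
    if answer is None:
        return "not_listed"
    if answer.startswith("127.255.255.") or answer == "127.0.1.255":
        return "error"  # refused or malformed query: no verdict, never a listing
    if answer.startswith(("127.0.0.", "127.0.1.")):
        return "listed"
    return "unknown"

def screen(sender_ip, body, resolve):
    """Check the sending IP against XBL and every linked host against DBL."""
    checks = [("sender_ip", xbl_query_name(sender_ip))]
    checks += [("content_domain", h + "." + DBL_ZONE) for h in domains_in(body)]
    findings = []
    for kind, name in checks:
        verdict = classify(resolve(name))
        if verdict != "not_listed":
            findings.append((kind, name, verdict))
    return findings
```

An `error` verdict should raise an operational alert rather than count as a pass or a block, since it usually means the queries are not reaching the blocklist through a permitted resolver.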
Strengthen defenses against growing trends
The threat from residential proxy networks is no longer theoretical. In January 2026, Google dismantled IPIDEA, one of the largest such networks, after tracking over 550 threat groups routing attacks through millions of compromised consumer devices. Only days ago, the FBI issued a public warning that these networks are now standard infrastructure for credential stuffing, phishing, and botnet command and controller obfuscation.
For shared email infrastructure, two attack patterns stand out:
- Use of residential proxies for malicious signups and sending activity
These networks mask the true source of traffic, making it harder to trace abuse back to the source. Spamhaus’ Compromised IPs Dataset (Exploits Blocklist, XBL) tracks compromised devices and botnet infrastructure, helping identify suspicious sign-ups before abuse grows.
- Use of freemail accounts in fraudulent operations
Malicious actors frequently rely on freemail accounts to set up low-cost, disposable identities, which make it easier to conduct large-scale fraudulent campaigns. Spamhaus’ Low Reputation Resources Dataset (Hash Blocklist, HBL) tracks email addresses (including freemail), crypto wallets and other hashed identifiers linked to scams, compromised accounts, advance fee fraud and phishing campaigns.
These datasets are powerful not only at onboarding but also for outbound filtering.
Data is your friend
Being able to take action depends on visibility. Intent cannot be measured directly, and trust alone is not enough; therefore, abuse prevention relies on continuously analyzing observed behavior across infrastructure and traffic.
The following can be measured:
- Engagement trends
- Complaint rates
- Bounce patterns
- Spam trap exposure
- Authentication alignment
- Infrastructure history
- External threat intelligence
Utilizing this data doesn’t necessarily mean harsher enforcement; it just means better context. It narrows the gap between the first warning signal and effective corrective actions.
However, working with data at scale can be overwhelming.
Large volumes of data, especially when combined with external threat intelligence, can be difficult to process, whether you’re enhancing an existing reputation system or building one from the ground up. This is where Spamhaus data, supported by Spamhaus Consultancy services, helps teams not only identify risks, but understand them and how to respond.
For platforms operating at scale, protective intelligence is no longer an option. It’s essential for long-term resilience and survival.